
Data breach lessons for website owners
Neil Sanson
20 July 2016

Online client portals can be great for customer service. They can be constantly updated, improved and extended. This flexibility is delivered by a complex collection of software and, unfortunately, complexity easily gives rise to difficulties. The impact of these difficulties can, however, be minimised if you take steps to avoid problems occurring, or respond quickly to them.

One type of problem that can occur on a website is when the system displays someone else’s information when a user tries to log in to their account. There are many ways this can happen, and the way it happens will determine the impact. The impact can range from seeing someone else’s login identity - a name or an email address - to actually getting access to their account.

We started recording data breaches in 2009. Since then, breaches that allowed some degree of access to other users’ accounts made up 18 out of the 42 data breaches involving websites. These are the ones we know of. We do not know about the breaches that were not reported to us.

Why do these happen?

Websites that give access to customer data are inherently risky - risk that is incurred every time any of the software is implemented or changed.

The software packages that operate together to make the website work (or not work) are individually not simple. And when they are integrated with each other, these packages need to be able to handle not just the expected information from users but also any mistakes that can be made. Problems can occur within one of the packages, or when information is transferred from one to another.

Updates also contribute to the complexity of operating websites. Even if the content is not changed, the software packages will need to be upgraded with new versions. Often these new versions remove vulnerabilities that could allow the website to be hacked. Not installing these updates or patches leaves the website open to hackers who might be after the personal information in the system.

What you can do as a website owner

If you have a website, there are steps you can take at each stage of the lifecycle of the website to minimise the problems.

1. Plan well

Ideally, problems are avoided by good design. “Privacy by Design” is a concept that is very useful when considering customer portals.

A tool that can help with Privacy by Design is a Privacy Impact Assessment. This exercise will help everyone understand the risks to the people whose information will be handled by the system. If you are using the Agile methodology, then the preliminary assessment would be conducted as an early sprint.

2. Build using OWASP guidelines

The Open Web Application Security Project (OWASP) has produced guidance for web developers (which it is currently in the process of redeveloping). The OWASP Top Ten represents a broad consensus of the most critical web application security flaws.

3. Carry out tests

After the website is built or re-built, have it independently tested. This is a better way of finding problems than relying on getting a call or email tip-off or complaint from a user.

4. Prepare for disasters

Plan to manage a breach. Despite everyone’s efforts, a breach may still occur. You will be able to cope better if you have planned for the eventuality.

5. Listen to your users

Make it easy for people to report problems to you. In the instances we know about, the users who spot the problem are generally prompt about reporting it to the website owner. The agencies involved have also been prompt at closing down the access until the problem has been fixed. This reduces the risk.

Make sure you have easy-to-find contact details to help the user report the breach or vulnerability to someone in your organisation who will know what to do. Consider having a responsible disclosure policy so that people reporting problems to you are not worried you might blame them.

Comments

I think you forgot the biggest item: people do not want to pay for security. Try selling security services, or in-depth protection. The biggest advance we can make in this space is to allow a Common Law approach and allow affected parties to sue companies that failed to protect their data.


The aim of the Office of Privacy Commissioner’s blog is to provide a space for people to interact with the content posted. We reserve the right to moderate all comments. We will not publish any content that is abusive, defamatory or is obviously commercial. We ask for your email address so that we can contact you if necessary to clarify your comment. Please be respectful of authors and others leaving comments.

Suing is solely pecuniary, tangential to the issue, and it would restrict access to justice to those who could afford a hearing de novo on such issues.

Must strongly disagree with your 'common' law idea, as there is more evidence and examples of success using mandatory disclosure and public reporting of breaches. Corporations already have a weak incentive to protect data in the deleterious effect breaches have on their public relations; mandatory reporting would build on this, while suing would synthesise an incentive to hide breaches.
